In August 2009, a speeding Lexus with a stuck gas pedal crashed in San Diego, killing all four people aboard and spurring the ill-conceived theory that Toyota’s electronic controls were bugged. They weren’t. But as cars become rolling, autonomous supercomputers, what’s to stop an enterprising hacker from taking control of some functions . . . or causing a serious accident?

That’s the premise behind a new white paper written by Charlie Miller and Chris Valasek, the software engineers who successfully took over a Toyota Prius and Ford Escape last year to demonstrate how a modern car’s steering, brakes, and other primary controls could be compromised. Miller, a security researcher at Twitter, and Valasek, a director at computer security firm IOActive, aren’t ripping apart dashboards and causing havoc from a laptop as they did before. Their new paper, which they claim is the first security analysis of in-car networks, looks at the potential for 20 mostly late-model cars to be harmed by remote wireless attacks.

While taking over a car’s physical controls remotely is extraordinarily difficult—a recent hackathon dedicated to cracking a Tesla Model S ended up operating lights and horns—Miller and Valasek point to active safety and telematics systems that are already programmed to brake, steer, and unlock the doors, as well as perform a host of other critical tasks. If these computers can be fooled, it could be game over. The guys looked at possible ways that a hacker could access these computers via a car’s many wireless connections: Bluetooth, cellular, Wi-Fi, web browser software, telematics ECUs, keyless ignitions, and antitheft key codes. Even tire-pressure monitoring systems, which send short-range radio signals to a processor, and the Radio Data System, which downloads text information to identify radio stations and songs, were included.

A CAN (controller area network) system as seen in a 2014 Jeep Cherokee.

Bluetooth was deemed “one of the biggest and most visible attack surfaces on the modern automobile” and could involve connecting surreptitiously with an unpaired phone. Telematics systems (“the holy grail”) are also at risk; in 2011, other hackers were able to upload malicious code to an OnStar-like system and then secretly record conversations in the car. Thirdly, internet browsers and apps were deemed problematic because they are hack-prone in much the same way as desktop software. Say Miller and Valasek, “Complex code is being added to vehicles, and there is no reason to believe corresponding anti-exploitation technologies are being added with them.”

That’s probably dead accurate. If anything, this paper will force automakers to have open conversations about data security and convince drivers they won’t be randomly brake-checked—or lose control over their own vehicles—on the highway. Still, auto engineers lock the dozens of computers in vehicles behind gateways and CAN bus networks, many of which are accessible only when dealers use specific automaker repair tools connected to an OBD port. What’s more, the general underlying structure is largely secret and highly guarded by automakers, even from their suppliers, for obvious reasons. But rapidly advancing technologies such as drive-by-wire steering and autonomous driving could soon mean getting antivirus updates with every oil change.